Dangerous Conversations

8 Aug 2011

By Kevin Coleman -- Defense Tech Cyberwarfare Correspondent

Perhaps the most frequent comment about “Cyber” is: why do we just sit here and take it? We should fire back! I am not saying that we do not or have not returned cyber fire, but the major stumbling block is attribution. This is a hot discussion now that some of the details about “Shady Rat” have become public. Some are pointing to China as the culprit behind the attack. Some conversations are already calling for retaliatory strikes. Is there enough evidence to support these claims?

Attribution (http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA468859) is typically described as “determining the identity or location of an attacker or an attacker’s intermediary.” The word is often used interchangeably with trace-back or “source tracking.” While there are many techniques for investigating and determining attribution, there are as many if not more ways for attackers to hide their tracks. These concealment techniques, the lack of international agreements supporting cyber attack investigation, and many other legal and political issues combine to make attribution very difficult. This difficulty casts doubt on statements that name who was behind the attack.

What is reasonable doubt in the context of a cyber attack? According to the Lectric Law Library's Lexicon, REASONABLE DOUBT is the level of certainty a juror must have to find a defendant guilty of a crime. A real doubt, based upon reason and common sense after careful and impartial consideration of all the evidence, or lack of evidence, in a case. Proof beyond a reasonable doubt, therefore, is proof of such a convincing character that you would be willing to rely and act upon it without hesitation in the most important of your own affairs. However, it does not mean an absolute certainty. If this is what we use in cyber attribution, we may never return fire.

This is not a criminal proceeding! While the degree of certainty must be factored into deciding whether or not to retaliate and what retaliatory measure will be taken (kinetic versus digital), the current legal definition is problematic. There is no case law to provide guidance on the level of confidence, or reasonable doubt, as it relates to cyber warfare. How will we determine that threshold?